My humble thoughts and discoveries on the path of Information Security

Category Archives: Hacking/Breaking

Time and time again, the hacking and exfiltration of corporate data continues unabated, with the latest victim being one of the most important organizations for the internet infrastructure. ICANN has just announced that hackers were able to infiltrate its systems via email phishing and gain access to some of its systems, including systems that contained its root zone information.

Prior to the ICANN hacking incident, Sony suffered one of the worst breaches of the year, with terabytes of data exfiltrated and posted online. Below are what I consider the most prominent hacking incidents of 2014. It goes without saying that these are just the ones that made the headlines and were reported on; the number of unreported or undetected incidents is most likely far higher than the ones that made the news.

Regin – In Reg

Security researchers are talking about newly discovered malware that may have been created years ago and that has sophisticated capabilities for spying on its victims. According to Symantec, the victims are spread across many countries, with most infections in Russia and Saudi Arabia. Most researchers agree that the level of sophistication that went into developing this malware indicates that a nation state or states are behind it, and the most likely suspects are Western intelligence agencies.

Encryption is used throughout the entire process, from infecting the victim all the way to extracting sensitive information, which has so far made detection of this malware almost impossible.

Below are detailed analyses of this malware posted by Symantec and Kaspersky Lab.

A vulnerability in Unix-based operating systems that use the command interpreter called the Bourne-again shell, or Bash, was discovered last week by an IT engineer named Stephane Chazelas and has taken the security world by storm. The severity of the bug and the widespread use of Bash have led mainstream outlets such as the BBC, CNN and the Guardian, as well as many prominent security bloggers and researchers, to report on the story. Social media is also rife with people discussing, commenting on, showing concern about, and even joking about it.

Bash exists on many operating systems, including embedded ones such as those running on Android phones, Wi-Fi routers, and even TVs, making the vulnerability very widespread and possibly the biggest in history. The simplicity with which the vulnerability can be exploited has earned the bug a critical severity rating, with most vendors advising prompt patching. If attackers exploit the bug, they can obtain unauthorized information such as passwords and configuration files, or take over the system completely.

This looks like it is going to be a security nightmare for enterprises for many weeks to come as they rush to patch their vulnerable servers before the bad guys get to them. With that said, it is time for me to go back, find this dirty bug across our infrastructure, and put the remediation strategies in place.
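As an added example (not part of the original post), a Python self-test for the Bash bug above: it asks a local bash whether it still executes the command that trails a function definition smuggled in through an environment variable, and whether the fix that confines exported functions to BASH_FUNC_-prefixed variables is present. The bash path is an assumption; both checks report "no-bash" where none is installed.

```python
import os
import shutil
import subprocess

# Constructed probe value: it looks like an exported function definition with a
# second command appended. A fixed bash ignores the variable; an unfixed one
# imports the function and then runs "echo vulnerable" while starting up.
PROBE_VALUE = "() { :;}; echo vulnerable"


def _run(bash, script, extra_env=None):
    env = dict(os.environ, **(extra_env or {}))
    return subprocess.run([bash, "-c", script], env=env,
                          capture_output=True, text=True).stdout


def bash_imports_env_functions(bash="bash"):
    """'vulnerable' if bash executes the trailing command, 'patched' if not,
    'no-bash' if the binary is not installed."""
    if shutil.which(bash) is None:
        return "no-bash"
    out = _run(bash, "echo probe", {"x": PROBE_VALUE})
    return "vulnerable" if "vulnerable" in out else "patched"


def exported_function_namespace(bash="bash"):
    """'namespaced' when exported functions are stored as BASH_FUNC_<name>
    variables (the post-fix layout, so a plain variable can never be mistaken
    for a function), 'legacy' when they sit under the bare function name."""
    if shutil.which(bash) is None:
        return "no-bash"
    out = _run(bash, "probe_fn() { :; }; export -f probe_fn; env")
    for line in out.splitlines():
        if line.startswith("BASH_FUNC_probe_fn"):
            return "namespaced"
        if line.startswith("probe_fn=() {"):
            return "legacy"
    return "unknown"


if __name__ == "__main__":
    print("function import from environment:", bash_imports_env_functions())
    print("exported function layout:", exported_function_namespace())
```

Run it on each host after patching; a host that still answers "vulnerable" or "legacy" has an old bash somewhere on its PATH.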

As IT professionals, we are bound to run into problems every now and then in the course of our work. One of the most common problems I have seen is a lost password to a system, application, or network device. I have had my share of losing and recovering passwords for many systems and network devices, but never for Windows-based systems, until an opportunity presented itself today, so I set out on a search mission on Google to find out how to do it. Thanks to the many who shared their posts and videos, I was able to recover the password successfully using a simple method. So this post explains what I found on the web about recovering from a lost Windows 2008 password. If we are able to get a command prompt as a recovery option, the procedure should also work on Windows 7, 8, and other versions of 2008, because they all contain the “Utilman.exe” utility, which is the main reason this trick works, as we shall see below.

Below are the steps I followed to recover one of my test systems successfully. The procedure involves rebooting the system, so it should be planned if it is to be applied to production systems.

Steps to Recovery

You will need to find the Windows OS installation media for the system you are trying to recover, mount it in the CD-ROM drive, and reboot the system.

Ensure your BIOS is set to boot from the CD-ROM drive first. If not, go into the BIOS, change it, save the changes, and continue with the reboot.

While restarting, you will be asked if you want to boot from the CD. Press Enter and the CD-ROM files will start to load.

After the file loading is complete, you will come across the screen below. Click Next.

On the next screen, choose the “Repair your computer” option.

On the next screen, choose the hard drive on which Windows was installed and click Next.

On the next screen choose “Command Prompt”. This will open a command prompt window.

In the command prompt window, enter the exact commands you see in the screen capture below. The procedure basically takes a backup of Utilman.exe and then replaces it with the command prompt executable. You need to be in the System32 folder of your Windows installation when executing the commands.

Once done, close the command window and click Restart.

After the system reboots, click the “Ease of Access” icon, usually found in the bottom left corner.

Because of the change we made above, this will open a command prompt instead of the utility. In the command prompt you now have full access to the system and can add users. In the example below, we used the “Net User” command to add a user named “Hacker” with the password “TopS3cr3t” and added the user to the local “administrators” group.

Use the newly created user with local administrator rights to log in to the system and reset the password of the user account whose password you have lost.
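Added example, not from the post: the procedure above leaves a copy of cmd.exe in place of Utilman.exe, which is the same condition a logon-screen backdoor of this kind leaves behind, so once the password is reset the backup taken earlier should be copied back. This Python check detects the swap by comparing file hashes and restores the backup; the constructed System32 tree and the `utilman.exe.bak` backup name are stand-ins for demonstration, and on a real host you point it at %SystemRoot%\System32.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Logon-screen helper the post replaces; other helper names can be passed in.
DEFAULT_HELPERS = ("utilman.exe",)


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def swapped_helpers(system32, helpers=DEFAULT_HELPERS):
    """Names of helpers in system32 whose bytes equal cmd.exe, i.e. helpers
    that would open a command prompt at the logon screen instead of the utility."""
    system32 = Path(system32)
    cmd_hash = sha256_of(system32 / "cmd.exe")
    return [name for name in helpers
            if (system32 / name).is_file()
            and sha256_of(system32 / name) == cmd_hash]


def restore_helper(system32, backup, name="utilman.exe"):
    """Copy the backed-up original helper back over the swapped copy."""
    target = Path(system32) / name
    target.write_bytes(Path(backup).read_bytes())
    return sha256_of(target) == sha256_of(backup)


def make_demo_tree(swapped):
    """Constructed stand-in for a System32 folder (not real Windows binaries)."""
    root = Path(tempfile.mkdtemp())
    (root / "cmd.exe").write_bytes(b"MZ demo cmd.exe")
    (root / "utilman.exe.bak").write_bytes(b"MZ demo utilman.exe")
    (root / "utilman.exe").write_bytes(
        b"MZ demo cmd.exe" if swapped else b"MZ demo utilman.exe")
    return root


if __name__ == "__main__":
    real = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    target = real if (real / "cmd.exe").is_file() else make_demo_tree(True)
    for name in swapped_helpers(target):
        print(f"{name} is a copy of cmd.exe; restore the original from backup")
```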

Over the past few days, the security industry as well as the mainstream media have been abuzz over a discovery made by the mobile security expert Trevor Eckhart. He has unveiled how an application called Carrier IQ, installed on over 140 million smartphones, is collecting every keystroke, every application, location, and possibly more information than we might think, and sending it to a remote location.

The term digital hacktivism means the use of computers and hacking knowledge to protest for a certain cause or promote a political agenda. Among other things, it involves the defacement of websites and making resources on the web unavailable. In a nutshell, it is the digital equivalent of holding a placard and protesting outside a certain entity.

One group that has been busy lately hacking and protesting online is the well-known group Anonymous, which was responsible earlier this year for bringing down, among others, Mastercard’s website for refusing to accept payments for Wikileaks.

Just recently the group has been busy supporting the revolution in Syria and actively defacing Syrian government websites. The websites below have recently been defaced, and an interactive map of the victims of the oppression has been posted.

First of all, people against the Iranian government or Islam, even if they live inside Iran, we can’t count them as Iranian people, I can’t! If they get the power to harm Islam and the Iranian government, spying for foreign spy agencies (Mossad, CIA, MI6), they won’t miss it. If they get paid by a foreign secret service, they can gather and send ANY information THEY CAN. These are not the people of Iran; these types of people were my target, not normal people, people who don’t have anything to do with secret services, Iran’s enemies, Islam’s enemies, etc.

Second: this time the attack was limited to Iran; next time, I’ll own as many gateways in Israel, the USA and Europe, as many ISPs, and the attack will run there. You know man, I give promises and I keep them, I say words and they just happen, I told you to wait and see the previous time (Comodo case), now you see more. For an example, ask a little from LMI.NET, Berkeley’s ISP, ask about user Todd and password loc!666 (for example), ask if they detected that I owned all their Linux boxes and got access to their DNS servers, you see? I’m really sharp, powerful, dangerous and smart! I said in the Comodo hack case that I rule the internet, I’ll bring equality of controlling the internet like the USA for myself and you see I’m simply doing it, huh? How are you going to stop me, you Mossad animals? Like this: http://www.silviacattori.net/article1421.html ? Israel still lives in the stone age, they kill people they just can’t see, they kill Palestinian children and women, believe me, they shouldn’t exist in this world. Hope to see that day soon…

Third: Do you know the meaning of “Unstoppable Genius Digital Hacker”?

b) Some small brains said in their articles that it was an easy hack, passwords were weak, it was a simple DNN bug, etc. etc. etc. bla bla bla blaaaa

First: If I gave all the hackers of the world, ALL hackers in the real meaning of the word, they wouldn’t be able to reach that network behind all those firewalls, routers and final networks without any access to the internet, which doesn’t even have an internet connection. So shut the ….

Second: You think I generated SSL and code signing certificates by sending some SQL queries or sending some requests or using some ready-made desktop applications with the default password 1234? Ahhh man! Stop taking people’s work so easy… There was a netHSM with OpenBSD OS, only 1 port open, totally closed/protected with RSA SecurID and SafeSign token management systems; they had around 8 smart cards in total (a company with a lot of employees, only 8 smart cards for SSL generation), you see? It’s not a “simple DNN bug”, ok? I had remote desktop access to the last RSA Certificate Manager system, which had no connection to the internet at all; all files were coded in XUDA (there is no reference to the XUDA programming language, not even a single line); no one could access those servers via Remote Desktop; there were enough firewalls and routers that even blocked their own employees from accessing that network. That network had a different domain controller with different users, man! There is so much to explain, I’ll do it later, just know it is the most sophisticated hack of all time, that’s all!

Third: You only heard about Comodo (successfully issued 9 certs for me - thanks by the way), DigiNotar (successfully generated 500+ code signing and SSL certs for me - thanks again), StartCom (got a connection to the HSM, was generating for twitter, google, etc.; the CEO was lucky enough, but I have ALL emails, database backups, customer data, which I’ll publish all via Cryptome in the near future), GlobalSign (I have access to their entire server, got DB backups, their linux / tar gzipped and downloaded, I even have the private key of their OWN globalsign.com domain, hahahaa)…. BUT YOU HAVE TO HEAR SO MUCH MORE! SO MUCH MORE! At least 3 more, AT LEAST! Wait and see, just wait a little bit like I said in the Comodo case.

P.S. In the Wikipedia article on SSL, it should be added for the future that I caused the SSL or CA system security model to be removed. I have a special idea for private communication via browsers which could be used instead of SSL, but why should I share it and cause trouble for my own country? When the USA and Israel can read all the emails they want in Gmail, in Yahoo, data in Facebook, Twitter, etc., how should my country control those services? I’ll help my own country with it as I did and you saw it. If my country gets equal rights to the USA in controlling emails, I may share my brilliant unbreakable encryption system as a replacement for the SSL and CA system.

The world is shocked just by my Comodo and DigiNotar hacks; what would happen if I showed my other skills in cryptography, cryptanalysis, binary analysis (assessment), reversing, kernel programming, other high-profile servers I hacked and extracted all the needed information from, etc. etc. Ohhh! May they change the internet model, hahahahaaaaa

P.P.S. Never forget, I’m just 21, you have to see much more from me!

By the way, I heard that the Comodo CEO (poor Melih) has talked again and said it was again state sponsored and I’m not a single hacker bla bla… Dear Melih, please wake up, I’m the only hacker, I just shared some certs with some people in Iran, that’s all… The hacker is single, just know it.

Certificates are used to convince users of a particular website that they are indeed visiting the legitimate website they intended to see, such as when we access our banking site or email provider. These certificates are issued and verified by the various Certificate Authorities, or CAs, that have been delegated this task. Certificates are a necessary component of the encrypted communication used by the SSL protocol.

So what if someone breaks into one of these CAs and is able to issue fake certificates for your banking site, or let’s say Google, for example? These individuals then have the ability to intercept and read your encrypted traffic, provided they are also able to route your traffic to a destination of their choosing.

Well, this is what seems to have happened with a Dutch CA called DigiNotar. Hackers were able to break into its systems and issue fake certificates for several websites, including a wildcard certificate for Google’s domain (*.google.com). Excellent commentaries, analyses of the event, and warnings have been posted by several prominent bloggers as well as Google, Mozilla, Microsoft and other companies, which I am posting below.

The question remains: if we are to blindly trust the CAs that issue these certificates, who should be monitoring and certifying these CAs for the security infrastructure they have in place?

Excellent articles & blogs on the DigiNotar incident:
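Added example, not from the post: chain validation alone accepts any certificate a trusted CA signs, so a client that knows which CA its bank or mail provider really uses can pin that issuer and refuse everything else, which is how a mis-issued *.google.com certificate can be caught even though it chains to a trusted root. The check below works on the dictionary that Python’s `ssl` module returns from `getpeercert()`; the pinned issuer name and the sample certificate fields are constructed placeholders.

```python
import socket
import ssl

def _field(rdns, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def host_matches(hostname, pattern):
    """Browser-style match: a leading '*' covers exactly one DNS label."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return hostname == pattern

def evaluate_peer_cert(cert, hostname, pinned_issuer_org):
    """(accepted, reason) for a cert dict as returned by SSLSocket.getpeercert().
    The issuer pin runs after the hostname check, so a certificate from any other
    CA is refused even when it chains to a trusted root."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(host_matches(hostname, n) for n in names):
        return False, "hostname not covered by certificate"
    issuer_org = _field(cert.get("issuer", ()), "organizationName")
    if issuer_org != pinned_issuer_org:
        return False, f"issued by {issuer_org!r}, pinned issuer is {pinned_issuer_org!r}"
    return True, "ok"

def fetch_peer_cert(hostname, port=443):
    """Live path: the default context does chain and hostname validation first;
    the returned dict is then handed to evaluate_peer_cert() for the pin."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() layout, shaped like the mis-issued wildcard
# certificate from the incident above; the field values are illustrative only.
ROGUE_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("countryName", "NL"),), (("organizationName", "DigiNotar"),)),
    "subjectAltName": (("DNS", "*.google.com"),),
}
PINNED_ISSUER = "Example Pinned CA (placeholder)"
```

Calling `evaluate_peer_cert(ROGUE_CERT, "mail.google.com", PINNED_ISSUER)` refuses the sample with the reason "issued by 'DigiNotar', pinned issuer is ...", while a live lookup is `evaluate_peer_cert(fetch_peer_cert(host), host, PINNED_ISSUER)`.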

Bailey, a security consultant with iSec Partners, plans to show a video next week at Black Hat USA in Las Vegas of the car alarm attack he and fellow researcher Mat Solnik conducted. His Black Hat presentation is called “War Texting: Identifying and Interacting with Devices on the Telephone Network.”

Physical security systems attached to the GSM and cellular networks, such as GPS tracking devices and car alarms, as well as traffic control systems, home control and automation systems, and SCADA sensors, are ripe for attack, according to Bailey.

War texting is something that Bailey demonstrated earlier this year with personal GPS locators. He demonstrated how to hack vendor Zoombak’s personal GPS devices to find, target, and impersonate the user or equipment rigged with those consumer-focused devices. Those low-cost embedded tracking devices in smartphones or those personal GPS devices that track the whereabouts of your children, car, pet, or shipment can easily be intercepted by hackers, who can then pinpoint their whereabouts, impersonate them, and spoof their physical location, he says.

His Black Hat research, meanwhile, focuses more on the infrastructure, as well as on fingerprinting or classifying these devices among millions of wireless phone numbers. Once those devices have been spotted by an attacker on the network, they then can be abused. Car alarms are vulnerable, for instance, because they connect and idle on Internet-ready cellular networks, and receive messages from control servers, Bailey says.

Bailey declined to reveal the car alarm vendor. He says these and other devices are being exposed to reverse-engineering and abuse via their GSM or cell connections. “Their proprietary protocols [traditionally] were insulated and so obfuscated that you wouldn’t necessarily know what was going on under the hood,” Bailey says. “[But] car-alarm manufacturers now have to worry about reverse-engineering of their proprietary protocols.”

Bailey says an attacker can glean previously undisclosed aspects of the alarm device from the phone network. “Now that they’re OEM’ing GSM modules … they are leaving the whole business exposed. It’s serious from that angle: Attackers can finally get under the hood easily because they have a foot in the door with GSM,” he says.

Bailey plans to release new tools to help gather information about these devices. “[The tools] will show how easily you can set up a network connection for mass-scanning over the entire phone network,” he says. “The idea of war-texting communication with devices over the telephone network is simple.”

Bailey says the car alarm hack just scratches the surface of the inherent danger of having such devices GSM- and cell-connected. “What I got in two hours with the car alarm is pretty horrifying when you consider other devices like this, such as SCADA systems and traffic-control cameras. How quick and easy it is to re-engineer them is pretty scary,” he says.

He says he was able to get enough reconnaissance on a handful of other devices to do the same type of hack. “I didn’t bother to reverse-engineer them. Knowing their modules and understanding their design is enough” to pull off a war-texting attack, he says.

So how do you shore up security for these devices? “The real answer is engineering: getting the people designing these systems to analyze their security in a thorough fashion, which they are not doing now,” Bailey says.